Like most people, I remember September 11, 2001 like it was yesterday.
It was a bright and beautiful afternoon as we drove North along the 3 headed back to Zürich, following a 10-day visit to Innsbruck, Venice, Milan and a number of other quaint countryside villages. I was visiting a good friend who had recently moved to Switzerland, and we were taking some time to enjoy Europe’s best sites. The Alps are breathtaking, no matter what time of year it is.
As we entered the city center and got closer to Andre’s apartment, we could feel the end of our trip growing closer. I was scheduled to fly out the following morning and Andre was headed back to work. As we mentally switched gears, we also switched radio stations, changing from the throbbing dance music that kept us hammering on the Autobahns to a local news broadcast. It was in German, so I only caught every fifth word.
I will never forget the look on Andre’s face.
“An airplane crashed in to the World Trade Center”, he said in his thick Dutch accent.
Simultaneously piecing together in my mind what I just heard and sorting through the possibilities of mis-translation, I immediately began rationalizing what might have happened. Once I gathered my thoughts I explained to Andre that this had happened before, and that the buildings are so big that a small Cessna wouldn’t cause much damage.
For a while I lived in New York City just three blocks South of the World Trade Center. I lived in a large apartment on the 26th floor with a balcony that overlooked the towers. I walked through World Trade South nearly every day. My apartment didn’t need paintings or artwork, I had the New York City skyline.
“It wasn’t a Cessna, it was a jumbo jet.”
For Americans, everything changed on 9/11. The inconceivable events that transpired on that day shifted everything we knew in a different direction. Finances, politics, healthcare, education, relationships – everything we knew suddenly took on a different perspective. A different priority. But none of these things changed more than our position on security.
The 9/11 Commission spent nearly three years collecting, analyzing and documenting the 585 pages of data resulting from that day and the years leading up to those horrific events. In the end, the Commission determined that there was a single condition that made the events of that day possible.
We didn’t think it could happen to us.
As simple and sad as that seems, there’s another chapter to this story. We face a much greater threat today, and we find ourselves repeating history. The infrastructure that our very existence depends on is in jeopardy, and we have put our heads in the proverbial “9/11 sand”. An exploitation or compromise of our power, water or financial networks could result in a complete collapse of society and death tolls that bin Laden himself could not imagine.
This is not science fiction. Thanks to Hurricane Irene, we have seen very recently what power and water loss of only a few days can do to a community. Now imagine this on a global scale.
By the year 2020, there will be 50 billion devices connected to the Internet. There will be tens if not hundreds of thousands of hackers and organized cybercriminals. If it took the United States ten years to track down one man moving from cave to cave, how long will it take us to dismantle an organized network of 100,000 computer hackers?
On this, the ten-year anniversary of the worst security incident in United States history, I urge you to ask yourself the following question:
What are we doing to avoid Cyber 9/11?
Cybersecurity insurance continues to be an increasingly popular investment for businesses of all types and sizes. Seen as a catch-all for the unpredictable, unreasonable or undesirable, cybersecurity insurance has become an attractive option for businesses who don’t have or don’t take the time to understand their alternatives.
But cybersecurity insurance policies, like other insurance vehicles can be tricky and expensive. They’re not a cloak of invincibility. Heck, they’re not even a security blanket. Here are just a few of the issues.
- First, cybersecurity insurance is a moving target and you may find yourself underinsured or not insured at all. The less you understand about security, your assets and your risks, the less you will understand your insurance policy. One of the most painful lessons of Hurricane Irene was in the area of insurance. We heard countless stories of homeowners who thought that their expensive flood insurance policy would cover their losses, only to find out that they weren’t covered due to some esoteric loophole. Little did these policyholders know that there are many types of flood insurance, each covering a specific condition. The same is true of cybersecurity insurance.
- Insurance can be more expensive than prevention. Insurance premiums for flood, fire and other policies are based on endless mountains of actuarial data that have been analyzed, sliced and diced such that the carrier knows exactly how much to charge for coverage. This premium ensures that the carrier will continue to make money even when its policyholders have claims. These calculations are based on statistical certainties. Because cybercrime is both immature and ever-changing, these piles of actuarial data do not exist, causing carriers to conservatively over-charge. The money you’re spending on insurance could have been better spent on avoiding the problem in the first place.
- Insurance won’t replace all assets. If insurance is your primary security mechanism for assets that are irreplaceable, you’re putting yourself and your business in jeopardy. Things like backups, historical data, documents and other sensitive or confidential assets cannot be recovered by insurance. There’s a reason that 25% of businesses that are victimized by cybercrime never recover.
- Insurance won’t protect your reputation. When your business experiences a databreach, a malware outbreak or other security incident that results in a public relations issue, no amount of insurance coverage is going to repair the damage. Understanding your risks will help you avoid an incident, paying for insurance that doesn’t help only adds salt to the wound.
Cybersecurity insurance can be a valuable defensive mechanism for businesses when applied properly. When properly understood and selected, it can address areas of risk that are difficult to manage with other controls. When misunderstood, it can compound a security incident with confusion, frustration and expenses.
If you’re considering cybersecurity, give the policy a close read. If you already have a policy, give it a closer read. The last thing you want to hear from your insurance carrier after a security incident is, “sorry Charlie”.
It is said that any threat with enough resources or motivation will eventually find a vulnerability in a system. As I watched the overflowing Hudson River decimate the park, marina and restaurant behind my office, that theory became a staggering reality.
On Sunday, Troy, NY experienced its worst flooding since 1977. With record rainfall from Hurricane Irene, many area dams were at risk of failure and creeks and rivers were over their banks. Homes were flooded and vehicles were destroyed. Boats were lost from marinas, washed down the river along with tons of trees, barrels and other debris. The crowds of people who had gathered in front of the now-underwater Dinosaur BBQ added to the chaos.
Today however, just hours after the event, our city is already getting back to normal. Walking through the areas hardest hit by the flooding, it’s clear that recovery is well underway. The crowds have dissipated, the police tape is slowly disappearing, and businesses are getting back to normal operations. This recovery is occurring in large part because the first responders, law enforcement, FEMA and DHS personnel that responded to the disaster were prepared.
No one could have anticipated that Upstate New York was to be hit by both an earthquake and a hurricane in the same week. In fact, we were probably more likely to see a unicorn. But a good Incident Response plan assumes that we won’t necessarily have all of the intelligence, resources or time that we need to counteract a threat. A good Incident Response plan can also mean the difference between a business returning to normal operations, and a total disaster.
Security incidents come in all shapes and sizes. One day you may be responding to a malware outbreak, the next day you may be responding to the $250,000 that has been siphoned out of your company’s bank account. Irrespective of the type of organization, a good Incident Response plan should address the following:
- Containment – Whether isolating the latest worm or preserving evidence of a databreach for litigation, your containment strategy will vary depending on the incident. The most important considerations in this step are minimizing damage and neutralizing the threat without affecting your downstream mitigation options. It is important to understand your threat before enacting a containment strategy – an active shooter requires different counteractions than a perimeter attack.
- Mitigation – Once the threat is contained, it should be addressed. Again an understanding of the threat is important. In many instances, expertise in evidence preservation and chain of custody is critical, particularly in situations where legal proceedings are anticipated.
- Recovery – Rebuilding systems, restoring from backups or providing counseling for employees are all essential steps in the Incident Response process. Effective recovery requires advance planning and preparation, but it will provide significant returns if done properly.
Lastly your Incident Response plan should be governed by policy and handled by a team specially trained in response procedures. It’s not unusual to outsource some of your incident handling efforts. In fact, asking an internal team to perform technical forensics tasks or to understand the intricacies of evidence preservation could be like asking the Pakistani Army to capture bin Laden – it could get very messy and leave you without the desired outcome.
I had lunch in downtown Troy today, and if I hadn’t witnessed the flooding firsthand I would’ve never guessed that large parts of the city were underground 24 hours prior. Thanks to preparation, a trained team and a good Incident Response plan, today’s pizza tasted just like any other day.